Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent malformed DNS queries executing JS on querylog/long term query pages #1665

Merged
merged 2 commits into from
Dec 23, 2020
Merged

Prevent malformed DNS queries executing JS on querylog/long term query pages #1665

merged 2 commits into from
Dec 23, 2020

Conversation

PromoFaux
Copy link
Member

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

What does this PR aim to accomplish?:
Fixes a potential vulnerability in the querylog/long term query pages

How does this PR accomplish the above?:
Escapes any data retrieved from the database for these pages, thus preventing executable code being run

What documentation changes (if any) are needed to support this PR?:
None

@PromoFaux PromoFaux requested a review from DL6ER December 23, 2020 15:40
@PromoFaux PromoFaux force-pushed the fix/escape-all-the-things branch 2 times, most recently from c568d05 to d6f7955 Compare December 23, 2020 16:17
@PromoFaux
Prevent malformed DNS queries executing JS on querylog/long term quer…
a28f4e4 
…y log

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
@PromoFaux
replace "~" by " " in getAllQueries response
62ac184 
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
@DL6ER DL6ER merged commit 8d73511 into devel Dec 23, 2020
@DL6ER DL6ER deleted the fix/escape-all-the-things branch December 23, 2020 19:47
@PromoFaux PromoFaux mentioned this pull request Dec 23, 2020
Merged
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-core-web-v5-2-2-and-ftl-v5-3-3-released/41998/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DL6ER DL6ER DL6ER approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@PromoFaux @pralor-bot @DL6ER